We get to work on the marketing side of management consultancy more than any other aspect: growth, and change for a better customer offering and experience. Our team is made up of classically trained marketers. We bring a healthy respect for the 1998 Data Protection Act, which was a catch-up on the EU Data Protection Directive of a few years earlier. You know where this is heading. Europe and the General Data Protection Regulation.
What has the EU’s GDPR got to do with you? Well, a lot, if you maintain and process records of personal and customer data.
GDPR is a big change for marketers, and our work over several years with the Information Commissioner’s Office (ICO) gives Quadrant a heads up on what it means for marketers. Big data now coincides with big accountability, meaning there are big risks. Let us share a heads up with our readers, many of whom are waking up this New Year to GDPR.
GDPR actually is a Game Changer
Let’s put the risk in scale: likelihood = low for GDPR-minded folk; liability = extreme, if not.
For example, TalkTalk had a sizeable £400,000 ICO fine for insufficient protection of customer data, in October 2016, since fixed. Any organisation in serious breach of GDPR after 2018 faces a fine of ‘4% of global turnover’. For a £2bn organisation of TalkTalk’s scale, by way of illustration, that would be a board-level and executive risk of up to £74 million.
The Information Commissioner, Elizabeth Denham, delivered a speech recently on GDPR and accountability. It included plenty of good tips and a few ‘critical friend’ observations too:
“There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone.”
There is already a huge number of articles and guidance documents on GDPR. On that, our advice would be to stick close to, and engage with, the ICO and their free half-day briefing events.
Let’s just focus on one aspect here, with thanks to the ICO for their plain speaking notes.
The GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not yet clear given that both forms of consent have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes. We’d say ‘assume explicit’, in your own planning, until the tiers become better defined.
For marketers, consent under GDPR requires some form of clear affirmative action. Silence, and the fallback of pre-ticked boxes or inactivity, do not constitute consent. You have to be able to verify it, and this means that some form of record must be kept of how and when consent was given. Many CRM systems will need an overhaul, and probably a data refresh. Also, individuals have a right to withdraw their consent at any time, and they will.
Where you already rely on consent that was sought under the DPA or the EC Data Protection Directive (95/46/EC), you are not required to obtain fresh consent from individuals if the standard of consent meets the new requirements under the GDPR. And here is our second top tip – appoint your Data Protection Officer (DPO), as a focus on risk. That in itself does not relieve the organisation-wide responsibility, but an in-house responsible person helps.
Reasons to appoint your DPO?
- Your data processing operations require regular and systematic monitoring of data subjects (personal information) on a large scale, or
- You conduct or instruct processing of a large bulk of special categories of data (e.g. health, religion, race, sexual orientation) and personal data relating to criminal convictions and offences.
The recruitment fees for DPOs with sector sensitivity will jump, so be prepared.
Leaving Europe but not leaving GDPR
Just as our own Data Protection Act followed the earlier EU Directive, so our organisations that come under GDPR will be bound by its provisions. Large and international brands already attract and process customer information across EU borders. The GDPR applies across the UK from 25th May next year, 2018. The government has confirmed that the UK’s decision to leave the EU does not affect the impact of the GDPR.
Marketers planning for Brexit have now just gained a New Year’s resolution for 2017. Get well ahead of GDPR, get in touch with your customers if you need to be assured of adequate consent, and appoint your Data Protection Officer.
Incoming – Consent Mailings by the Dozen
A final tip is to put yourself in the place of your own customer. Our prediction is that most will be mailed with a sequence, designed by direct marketers, of engagement and enrolment into explicit consent, from polite early permission seeking to more pointed mailings or incentives. Once the early consenters are gathered, new forms of motivation will be needed for organisations to be sure their databases are compliant, or limit their use, or risk that fine.
Many of us have four or five dozen organisations that process our data, currently DPA compliant. Think of that. ‘Incoming’ from 50-odd mailers over the coming year, multiplied by the number of times each may need to contact us? Several hundred individual interactions with any one customer, and any one might generate consent, or alienate and lose one.
Our last advice – do it well, and do it early. Quadrant is already getting ahead with our clients, on what to say or mail and when. Do get in touch if you want help.
Maybe we leave the last words to the Information Commissioner, Elizabeth Denham, who put customer trust into perspective, about how to avoid the wrong sort of surprises.
“Isn’t having customers’ trust a cornerstone to good business? Isn’t that intangible relationship with customers: loyalty, trust, repeat customers, something most companies want?”
Quadrant neither condones nor encourages the placement of padlocks on public bridges